The systems that secure payments over the Internet have been improved since their inception in the mid-1990s to the point where directly related credit card fraud has achieved parity with that of other Cardholder Not Present (CNP) transactions. However, a lack of understanding of these methods, combined with a disparate media focus on the few cases of fraud that do occur, has resulted in a consistently low level of consumer confidence.
Attempts to increase the customer's perception of security by guaranteeing reimbursement for contested CNP transactions have merely exacerbated the problem from the other direction. Many of the smaller online merchants have withdrawn acceptance of credit card transactions because they are unable to support the repeated non-payment for goods that is associated with customers who contest transactions, either genuinely or fraudulently.
The problems that exist are symptomatic of the methods and conventions by which payments over the Internet are processed. The customer is required to provide to the merchant all of the relevant details of their payment card—such as the Primary Account Number (PAN), expiry date, etc.—which enables the merchant to then charge the fee to this card. The mechanics of this payment involve the merchant sending a payment request that includes the customer's payment details to the financial institution that holds the merchant's bank account, or to a financial service provider who facilitates the connection between merchants and their financial institutions. The merchant's financial institution, referred to as the Acquiring bank, then sends an authorization message to the financial institution that issued the payment card whose details were provided by the customer. This message is sent through an inter-bank network, usually maintained by a third party such as a large payment card authority such as MasterCard, VISA or another provider. The financial institution that issued the payment card is identified by the first 6 digits of the payment card number, known as the Bank Issuer Number (BIN).
However, there is no way to ensure that the details provided to the merchant by the customer genuinely belong to that customer, and have not been fraudulently obtained. It is this inability to confirm the presence of the actual owner of the card that leads to such a high percentage of ‘charge backs’, or transactions where the customer denies taking part in the transaction. Traditionally, if the customer challenges a transaction and the merchant is unable to present proof of their authorization—such as a signature—the money is refunded to the customer, and the merchant must cover the loss.
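The conventional authorization flow and its weakness, modelled as an added example that is not part of the patent text: a toy inter-bank network routes on the first six digits (BIN) and an issuer host that can only compare the forwarded PAN and expiry with what it has on file. All class names, the BIN `400000`, the card number and expiry are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Issuer:
    """Card issuer host: holds the PAN and expiry on file for its own cardholders."""
    name: str
    cards: dict  # PAN -> expiry on file (constructed sample data)

    def authorise(self, pan: str, expiry: str) -> str:
        # In the conventional CNP flow the issuer sees only the card details the
        # merchant forwarded; nothing in the message says who supplied them, so
        # genuine and fraudulently obtained details are indistinguishable here.
        return "approved" if self.cards.get(pan) == expiry else "declined"


class InterbankNetwork:
    """Routes the acquirer's authorisation message to the issuer owning the BIN."""

    def __init__(self) -> None:
        self.issuers_by_bin: dict = {}

    def register(self, bin6: str, issuer: Issuer) -> None:
        self.issuers_by_bin[bin6] = issuer

    def route(self, pan: str, expiry: str) -> str:
        issuer = self.issuers_by_bin.get(pan[:6])  # first 6 digits of the PAN = BIN
        return issuer.authorise(pan, expiry) if issuer else "declined"


class Acquirer:
    """Merchant's bank: forwards the merchant's payment request into the network."""

    def __init__(self, network: InterbankNetwork) -> None:
        self.network = network

    def authorise(self, pan: str, expiry: str) -> str:
        return self.network.route(pan, expiry)


def build_demo() -> Acquirer:
    """Wire one constructed issuer behind one constructed BIN."""
    network = InterbankNetwork()
    network.register("400000", Issuer("DemoBank", {"4000001234567890": "12/29"}))
    return Acquirer(network)


def settle_dispute(merchant_has_proof_of_authorization: bool) -> str:
    """Charge-back rule from the text: without proof such as a signature, the merchant bears the loss."""
    return "customer" if merchant_has_proof_of_authorization else "merchant"
```

Running `build_demo().authorise(...)` twice with the same card details yields the same approval regardless of who submitted them, which is exactly the gap the text describes.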
Customers are also disenfranchised from utilizing Internet payment options because of fear of the theft of their card details. This theft can occur during the transaction itself, or may occur after the fact because of a security weakness in the merchant's web store. Many merchants maintain a database of customer card details, ostensibly to streamline repeat purchases for the consumer, and these databases become attractive targets for the criminal fraternity. Indeed, it is this persistence of the customer's sensitive information that frightens many consumers the most. Although transactions that result from such a ‘stolen card’ may be ‘charged back’ to the merchant, the inconvenience of doing so, coupled with the burden of obtaining a new card, is enough to discourage many consumers.
Systems and methods such as those disclosed in U.S. Pat. No. 6,098,053, U.S. 2002/0123972A1, U.S. 2003/0140004A1, U.S. 2002/0077978A1, and U.S. 2003/0154139A1 have attempted to provide a solution to this problem by integrating traditional EFTPOS functionality into the Internet payment arena. These documents teach methods that involve the use of an EFTPOS device that is held and maintained by the customer for the purpose of making a secure payment to the merchant without fear of fraud. As the customer's payment details are not passed to the merchant, or are passed to the merchant only in encrypted form, there is no risk that they will be compromised at any stage. However, these systems require fundamental changes to the interaction between customer, merchant, and the banking institutions. The merchant is required to change their ‘web store’ purchase systems, and the relationship between the merchant and its Acquirer is removed from the transaction. Without the support of the merchants, there is no incentive for the customer to participate in the system; indeed, with no merchant support there is no system for the customer to take part in. Conversely, there is no incentive for the merchant to alter their payment systems without a large customer base able to utilize these changes. Therefore any such revolutionary system faces a fundamental challenge to gain momentum in a market dominated by an alternative paradigm, and this problem has prevented the uptake of these systems.
Alternatively, other systems provide the customer with a single-use PAN, which can only be used for one transaction. This removes the risk associated with the theft of the customer's details, as they are not useful outside the context of a single transaction that the customer has already performed. This system has merits, but can be seen to protect only the customer in the transaction, while providing no benefit to the merchant. As indicated above, the high level of ‘charge backs’ generated through Internet commerce is a key problem in increasing revenues in this field, and any system that does not provide benefit for the merchant faces a high barrier to entry in the market. These systems also suffer from the requirement that the card Issuer must alter their host systems to correctly identify and interpret the substituted PAN as belonging to the customer who initiated the transaction. Alterations to these banking systems are costly and time-consuming due to the high quality assurance and certification requirements that must be met. Additionally, these systems are incompatible with some merchant purchase software (such as the ‘one click’ systems) where the customer is expected to use a single card number for many transactions. Finally, the customer is limited to using only cards that provide this replacement PAN facility for any transaction that they perform on the Internet. This limits the purchase and payment choices of the consumer, thereby reducing the appeal of Internet commerce to them.
A similar system is disclosed in U.S. patent application No. 2003/0195842A1; however, the system described therein is further limited in its application by necessitating the use of stored value payment cards by the customer.
Another method for securing Internet transactions is taught by U.S. patent application No. US2003/0097343A1. This system requires an intermediary party, referred to as a processing centre, to act as a conduit through which the transaction is conducted. Customer security is provided by reducing the exposure of customers' payment details to a single trusted party, rather than a plurality of merchants. However, this system similarly suffers from the requirement for a system-wide paradigm shift in the method by which Internet payments are made.
U.S. Pat. No. 5,809,143 teaches the use of a secure keyboard for Internet commerce transactions. This system provides secure entry of cardholder information, such as account number and PIN. However, the mechanisms for interaction with the merchant are altered once again. Additionally, the requirement for a secondary communications means limits the application of this system in the present environment.
Accordingly, there is a need for a system that can provide benefit to all involved parties—customer, merchant, and financial institutions—and that can be deployed and applied immediately with no impact on any party other than the customer who uses the system.
It is therefore an object of the present invention to provide a method and system for authenticating identifying information, such as account number and PIN, provided by a user of a public data network, such as the Internet, that mitigates the aforementioned problems of the prior art.
Any discussion of documents, devices, acts or knowledge in this specification is included to explain the context of the invention. It should not be taken as an admission that any of the material formed part of the prior art base or the common general knowledge in the relevant art on or before the priority date of the claims herein.